Article

Antecedents and Consequences of Data Breaches: A Systematic Review


Abstract

Research on data breaches is scattered across disciplines and methodologies. To help consolidate it, we review 43 articles on data breaches’ antecedents and 83 on their consequences. We find eight different categories each for antecedents and consequences. Most research is empirical-quantitative and employs an organizational unit of analysis. Theoretical lenses discovered range from a data breach as organizational crisis to criminological and privacy-specific theories. Our review provides researchers and practitioners with a synthesis of extant research and elaborates on future implications for data breach literature.


... They then tend to have concerns about the safety of their information and feel vulnerable to becoming a gossip target due to potential risks such as data breaches and unauthorized data access (Ayaburi & Treku, 2020). As a result of privacy concerns and experienced vulnerability, customers tend to protect their privacy and respond to the business negatively (Martin, K.D., 2017; Schlackl et al., 2022). ...
... First, we advance the understanding of how customers respond to businesses' data privacy practices by highlighting the distinct effects of transparency and control on commitment. Gossip theory (Feinberg et al., 2012;Schlackl et al., 2022) suggests that transparency and control of businesses' privacy practices are the two major factors influencing customers' privacy concerns and vulnerability. Prior research has acknowledged that transparency acts as a suppressor of privacy concerns and vulnerability and leads to positive intended consequences (Kim et al., 2019;Shin et al., 2022); however, the literature has not reached a consensus on the effect of control (Brandimarte et al., 2013;Wang et al., 2016) and our understanding of the difference in the effects between transparency and control is limited. ...
... Second, we uncover the behavioral mechanisms underlying the effects of control and transparency in privacy practices, enriching our understanding of the behavior perspective of gossip theory (e.g., Schlackl et al., 2022). Very little research on gossip theory examines the mediators of privacy practices from a behavioral perspective (e.g., . ...
Article
Full-text available
Requesting personal information in frontline service encounters raises privacy concerns among customers. The proximity contact tracing that occurred during the COVID-19 pandemic provides an intriguing context of information requests. Hospitality venues required contact tracing details from customers, and customer cooperation varied with concerns about privacy. Drawing on gossip theory, we investigate the roles of businesses' data privacy practices and government support in driving customers' responses to contact tracing. Our findings show that perceived transparency of a business's privacy practices has a positive effect on customers' commitment to the business, while perceived control exerts a negative effect on commitment. These effects are mediated by customers' information falsification rather than disclosure, because the former is a sensitive behavioral indicator of privacy concerns. The results also reveal the moderating roles of government support. This research contributes to the customer data privacy literature by demonstrating the distinct effects of perceived transparency and control on commitment and revealing the underlying mechanism. Moreover, the research extends the conceptual understanding of privacy practices from online contexts to face-to-face contexts of frontline service. The findings offer implications for the management of customer data privacy.
... Also, whenever security and data governance frameworks are not checked and put in place previously, a research project is more likely to be at risk of personal data breaches through data theft, data loss, data disclosure to non-authorised parties and other unwanted intrusions (10). Generally, the number and severity of data breaches has increased as a result of digitalization and increased connectivity (20), and is currently a matter of concern (21). Data breaches often involve avoidable human errors (21), which means they are more than a technical issue. ...
... Data breaches often involve avoidable human errors (21), which means they are more than a technical issue. In fact, they might be related to technological factors, but also to organisational and management-related, human, and regulatory/auditing factors (20). Therefore, preventive measures might be implemented at different levels (20). ...
... In fact, they might be related to technological factors, but also to organisational and management-related, human, and regulatory/auditing factors (20). Therefore, preventive measures might be implemented at different levels (20). In scientific research, data security is frequently absent from the discussions about confidentiality and privacy (13,22); therefore, the risks of data theft, data loss and unauthorised access are likely neglected (13). ...
Article
Full-text available
Neighbourhood and health research often relies on personal location data (e.g., home address, daily itineraries), despite the risks of geoprivacy breaches. Thus, geoprivacy is an important emerging topic, contemplated in international regulations such as the General Data Protection Regulation. In this mini-review, we briefly assess the potential risks associated with the usage of personal location data and provide geoprivacy-preserving recommendations to be considered in epidemiological research. Risks include inference of personal information that the individual does not wish to disclose, reverse-identification and security breaches. Various measures should be implemented at different stages of a project (pre-data collection, data processing, data analysis/publication and data sharing) such as informed consent, pseudo-anonymization and geographical methods.
... Therefore, many studies employ the event study technique to investigate stock-market reactions by employing the event study technique (Goel & Shawky, 2009; Yayla & Hu, 2011; e.g., Bose & Leung, 2014). In fact, this technique is the most commonly employed method to study the consequences of security breach events (Schlackl et al., 2022). These studies use stock market reactions to security breach events as proxies for the financial loss resulting from those events. ...
... Notwithstanding the contributions of studies that investigate the stock market reactions to security breach events, inconsistencies can be observed about the existence and magnitude of negative reactions to these events (Schlackl et al., 2022). For instance, while several studies have reported a statistically significant negative impact on the stock price of firms (Cavusoglu et al., 2004; e.g., Anthony et al., 2006), some other studies fail to find a statistically significant relationship in the negative (Bose & Leung, 2014; e.g., Arcuri et al., 2017) or positive (Hovav & D'Arcy, 2004; e.g., Bolster et al., 2010) direction. ...
Article
Concurrent with the increase in organizations’ reliance on IT systems for conducting business with their consumers and partners, there have been increases in the risk and instances of security breaches of IT systems. As a result, a large body of research has been conducted to study the financial consequences of such security breaches in general and stock market reactions using the event study methodology in particular. Notwithstanding the significant contributions of the extant studies on the topic, inconsistencies could be observed about the existence and magnitude of shareholders’ reactions to announcements of security breaches by firms. As such, this paper addresses this gap through a meta-analysis of 63 studies (with a total of 20,936 instances of security breach announcements). The results suggest that a significant relationship exists between announcements of security breach and a drop in the experiencing firms’ stock returns. In addition, this relationship is impacted by the type of security breach, time of the security breach event, the country in which the experiencing firms operate, and the size of those firms.
... It is not only the prospects of AI that need to be addressed but also the way it is currently used. Big data companies such as social media platforms are renowned for their ability to influence human behavior which has led to scandals and data privacy breaches (e.g., [46,47]). Not addressing this will only make it more difficult for policymakers to make any significant changes to how big tech companies leverage human data to maximize gain. ...
Article
Full-text available
One of the biggest challenges in Artificial Intelligence (AI) development and application is the lack of consideration for human enhancement as a cornerstone for its operationalization. Nor is there a universally accepted approach that guides best practices in this field. However, the behavioral science field offers suggestions on how to develop a sustainable and enriching relationship between humans and intelligent machines. This paper provides a three-level (micro, meso and macro) framework on how to humanize AI with the intention of enhancing human properties and experiences. It argues that humanizing AI will help make intelligent machines not just more efficient but will also make their application more ethical and human-centric. Suggestions to policymakers, organizations, and developers are made on how to implement this framework to fix existing issues in AI and create a more symbiotic relationship between humans and machines moving into the future.
Chapter
The value and intensified prevalence of digital assets have been well recognised in today’s digital age. Despite the benefits of digitalisation to firms, little is known regarding its potential dark side, that is, the concern about digital assets leakage. For example, firms are now using on-demand IT services based on cloud technologies, which poses the risk of losing the right to control their information security. This chapter will discuss the research discourse on digital assets leakage and suggest protective mechanisms to counter this problem, thus helping firms to maximise the value of digital assets in their digitalisation trajectories.
Keywords: Digital assets leakage; Digitization; Supply chain; Protection mechanism
Conference Paper
Full-text available
Strategic transactions can affect a firm's structural complexity and data breach risk. Mergers and acquisitions increase data breach risk by increasing a firm's structural complexity through the addition of new businesses and new IT interlinkages among the firm's existing and newly added businesses. Divestitures reduce a firm's data breach risk by reducing the firm's structural complexity through the removal of some business units and associated IT interlinkages. Business partnerships increase a firm's structural complexity and data breach risk by opening up the firm's IT environment to third-party business partners and creating challenges in joint governance and control of the IT interface and interaction points of the partners. We find support for these ideas in a sample of 9784 U.S. firms during 2005-2017. The proposed theory explains how and why strategic initiatives increase firms' data breach risks.
Article
Full-text available
Organizational information security (ISec) threats have exploded with advances in globalization and technology. Thus, organizations are scrambling to find both technical and behavioral approaches to shore up security. Whereas security technologies are crucial to these efforts, they are often rendered useless by employees' misunderstanding, carelessness, or deliberate disregard of ISec polices (ISPs). Accordingly, organizations are increasingly seeking ways to encourage employees to work as security allies. A key approach in many organizations is encouraging employees to better understand and comply with ISPs. Consequently, ISec research has leveraged several theories to identify the underlying reasons for ISP compliance behaviors among employees. However, most of this research focuses unilaterally on compliance without simultaneously considering noncompliance, as if noncompliance were caused by opposite factors. A pressing need thus exists for a theoretical foundation that can consider both common outcomes and whether there is an explainable tipping point that can explain when a normally compliant employee chooses to become noncompliant, and vice versa. In this study, we contextualize the extended parallel process model (EPPM) to ISP compliance by accounting for dual outcomes of compliance/noncompliance and dual roles of coping-problem-focused coping and emotion-focused coping. We further extend the EPPM to include response costs and maladaptive rewards to predict the two possible outcomes. Additionally, we employ a weighted discriminant value measurement approach to examine the tipping point between compliance and noncompliance. To test our resulting theoretical model and new measure, we conducted two separate empirical studies with 816 employees, using survey and scenario methodologies. The empirical results from these studies indicate that our contextualization and extension of EPPM better explain the gaps than alternative theories in the ISP literature.
Article
Full-text available
Data security breaches (DSBs) are increasing investor and regulator pressure on firms to improve their IT governance (ITG) in an effort to mitigate the related risk. We argue that DSB risk cannot be mitigated by one executive alone, but, rather, is a shared leadership responsibility of the top management team (TMT) (i.e., Chief Executive Officer [CEO], Chief Financial Officer [CFO], and Chief Information Officer [CIO]). Our results suggest that IT-savvy CEOs see technologies related to mitigating DSBs as a top-three most important type of digital methodology for their firm. Similarly, the results related to CFOs with IT expertise single out the critical investment in controls designed to prevent DSBs. Our strong findings for CIOs on the TMT add to the related guidance from COBIT 5 for information security and consistently suggest that they are the key executive for securing IT systems. Finally, our granular explanation of each executive’s DSB-related responsibility could potentially provide firms the start of a governance-led roadmap for compliance to the Securities and Exchange Commission’s and Justice Department’s cyber regulations.
Article
Full-text available
If the mantra “data is the new oil” of our digital economy is correct, then data leak incidents are the critical disasters in the online society. The initial goal of our research was to present a comprehensive database of data breaches of personal information that took place in 2018 and 2019. This information was to be drawn from press reports, industry studies, and reports from regulatory agencies across the world. This article identified the top 430 largest data breach incidents among more than 10,000 data breach incidents. In the process, we encountered many complications, especially regarding the lack of standardization of reporting. This article should be especially interesting to the readers of JDIQ because it describes both the range of data quality and consistency issues found as well as what was learned from the database created. The database that was created, available at https://www.databreachdb.com, shows that the number of data records breached in those top 430 incidents increased from around 4B in 2018 to more than 22B in 2019. This increase occurred despite the strong efforts from regulatory agencies across the world to enforce strict rules on data protection and privacy, such as the General Data Protection Regulation (GDPR) that went into effect in Europe in May 2018. Such regulatory effort could explain the reason why there is such a large number of data breach cases reported in the European Union when compared to the U.S. (more than 10,000 data breaches publicly reported in the U.S. since 2018, while the EU reported more than 160,000 data breaches since May 2018). However, we still face the problem of an excessive number of breach incidents around the world. This research helps to understand the challenges of proper visibility of such incidents on a global scale.
The results of this research can help government entities, regulatory bodies, security and data quality researchers, companies, and managers to improve the data quality of data breach reporting and increase the visibility of the data breach landscape around the world in the future.
Article
Full-text available
Despite the consensus that information security should become an important consideration in information technology (IT) governance rather than the sole responsibility of the IT department, important IT governance decisions are often made on the basis of fulfilling business needs with a minimal amount of attention paid to their implications for information security. We study how an important IT governance mechanism—the degree of centralized decision making—affects the likelihood of cybersecurity breaches. Examining a sample of 504 U.S. higher-education institutions over a four-year period, we find that a university with centralized IT governance is associated with fewer breaches. Interestingly, the effect of centralized IT governance is contingent on the heterogeneity of a university’s computing environment: Universities with more heterogeneous IT infrastructure benefit more from centralized IT decision making. In addition, we find the relationship between centralized governance and cybersecurity breaches is most pronounced in public universities and those with more intensive research activities. Collectively, these findings highlight the tradeoff between granting autonomy and flexibility in the use of information systems and enforcing standardized, organization-wide security protocols.
Article
Full-text available
Data security incidents are continually increasing; hackers, governments, and other actors increasingly attempt to gain unauthorized access to confidential data. Information systems (IS) users are becoming more vulnerable to the risks of data breaches. Many stakeholders perceive cybersecurity incidents as indicators of firms' operational and technological internal deficiencies. Previous research has revealed that investors react negatively to data breaches, yet little is known about investors' reactions to material data security incidents. Using a sample of 232 data security incidents for 132 publicly traded companies in the United States, the authors applied an event study methodology to discern investors' reactions to material versus immaterial incidents. They also use multivariate regression and time-to-event analysis to examine what determines the degree of investors' reactions, considering several intervals around the event day. The results show that investors perceive material data security incidents as a deficiency of breached companies in comparison to immaterial incidents.
Conference Paper
Full-text available
Companies around the world are faced with challenges in dealing with data breaches. While in Germany companies need to notify the affected and fear losing their valuable customers, in Bolivia, where rapid digital globalization increases vulnerability, data security overall is not a publicly present topic, and customers are directly exposed to the consequences of security incidents. Our study examines the cultural difference in addressing the digital challenge of recovering from data breaches. We investigate through a scenario-based experiment the effect of compensation and remorse on the customer-company relationship. Our results show that German customers are more likely to demand compensation for a data breach as a recovery action, whereas Bolivian customers are satisfied with an apology. We discuss this finding in the context of cross-cultural values and practical implications for countries that are currently undergoing a rapid rise in technology and are therefore exposed to substantial security risks.
Article
Full-text available
Insiders’ negligence or abuse is considered a leading cause for information security breaches in organizations. As most of the extant studies have largely examined insider threats at a high level of abstraction, the role of situational moral reasoning for information security policy (ISP) violations in specific situations has received little attention. To advance this line of research, this paper opens up a potentially fruitful path for IS researchers by applying the situational action theory (SAT) to contextually examine why employees violate ISPs in particular situations, such as violations of password security policy, Internet use policy, and confidential data security policy, while considering specific violation intents ranging from altruistic to malicious. The results support most of the assertions derived from SAT. Situational moral belief was found to be the predominant driver for ISP violation across three situations in an organizational setting. However, the moderation effect of moral belief was only significant in situations involving sharing passwords and selling confidential data. Sanction certainty and sanction severity were also found to take different effects across situations. Implications for IS security practitioners and suggestions for future research are presented.
Article
Full-text available
We examine whether firms learn from digital technology failures in the form of data breach events, based on the effectiveness of their failure responses. We argue that firms experiencing such technological failures interpret them broadly as organizational problems, and undertake unrelated divestitures and top management turnover to achieve better standardization and to remove dysfunctional routines. We test our hypotheses on unrelated subsidiary divestitures and chief technology officer (CTO) turnovers undertaken by 8,760 publicly traded U.S. firms that were at risk of experiencing data breaches involving the loss of personally identifiable information during the period 2005–2016. We find that data breaches significantly increase the hazard of unrelated divestitures and CTO turnover, and that these failure responses are sensitive to firms’ aspiration-performance feedback. However, whereas unrelated divestitures reduce the reoccurrence of data breaches, CTO turnover has no significant effect. Our findings suggest a corrective role of unrelated divestitures for failure learning, and the symbolic nature of CTO turnover as a failure response. Our study unpacks failure learning that hitherto has been inferred from a firm’s own failure experience and industry-wide failures, and highlights the interplay between the digital and nondigital components of a firm in the understudied context of data breaches. This work is licensed under a Creative Commons Attribution 4.0 International License. You are free to copy, distribute, transmit and adapt this work, but you must attribute this work as “Strategy Science. Copyright © 2020 The Author(s). https://doi.org/10.1287/stsc.2020.0106 , used under a Creative Commons Attribution License: https://creativecommons.org/licenses/by/4.0/ .”
Article
Full-text available
Prior information security studies have largely focused on understanding employee security behavior from a policy compliance perspective. We contend that there is a pressing need to develop a comprehensive understanding of the circumstances that lead to employee commitment of deliberate and malicious acts against organizational digital assets. Drawing on Routine Activity Theory (RAT), we seek to establish a comprehensive model of employee-committed malicious computer abuses (MCA) by investigating the motivations of the offenders, the suitability of the desired targets, and the effect of security guardianship in organizational settings. Specifically, we delineate the effects of the individual characteristics of self-control, hacking self-efficacy, and moral beliefs, and the organizational aspects of deterrence based on the routine activity framework of crime. We test this research model using subjects who held a wide range of corporate positions and varying degrees of computer skills. Our findings offer fresh insights on insider security threats, identify new directions for future research, and provide managers with prescriptive guidance for formulating effective security policies and management programs for preventing MCA in organizations.
Article
Full-text available
As recent cyber-attacks have been increasing exponentially, the importance of security training for employees has also grown more than ever before. In addition, security training and education are suggested to be an effective method for discerning cyber-attacks within academia and industry. Despite the importance and the necessity of such training, prior studies did not investigate the quantitative utility of security training at an organizational level. Due to the absence of referential studies, many firms have trouble making decisions with respect to arranging optimal security training programs with limited security budgets. The main objective of this study is to find out the relationship between cybersecurity training and the number of incidents in organizations. Thus, this study is the first to quantify the effectiveness of security training on security incidents. This research examined the relationship between three main factors (education time, education participants, and outsourcing) and the number of cybersecurity incidents. Firm-level data from 7089 firms is analyzed through the Poisson regression method. Based on the analysis results, we found a negative relationship between security training and the occurrence of cybersecurity incidents. This study sheds light on the role of security training and education by suggesting its positive association with reducing the number of incidents in organizations from a quantitative perspective. The result of this study can be used as a referential guide for the information security training decision-making procedure in organizations.
Article
Full-text available
We investigate the relationship between security breaches and chief information officer (CIO) turnover. Because CIOs are directly responsible for IT performance, we argue that their turnover likelihood is higher when they fail to meet IT performance expectations, as reflected by security breaches. Specifically, we find that breaches caused by system deficiency increase CIO turnover likelihood by 72 percent. However, we find no such association for breaches caused by criminal fraud or human error. We extend our analyses to other executives and document that CEOs are more likely to turn over following breaches caused by both system deficiency and human error, consistent with their broader role within the firm. By contrast, we find no evidence suggesting that CFOs are more likely to turn over following breaches. The findings indicate negative labor market consequences for executives who fail to meet performance expectations within the scope of their duties.
Conference Paper
Full-text available
The number of cybercrimes has exploded as the number of businesses increases. Data breaches are one of these security incidents, and recently affected Hudson Bay's Co. While many studies have found a negative relationship between data breach incidents and online shopping behavior, the impact of breach severity on customer behavior has rarely been investigated. In this emergent paper we adapted Sitkin and Weingart's risky decision-making framework to examine the effect of breach severity on risk perception, risk aversion, and online shopping intention. In preparation for the full-scope study, an experimental survey was conducted. The results of our pilot study provide evidence that breach severity can have different effects on risk perception.
Article
Full-text available
Technological advances have resulted in organizations digitalizing many parts of their operations. The threat landscape of cyberattacks is rapidly changing and the potential impact of such attacks is uncertain, because there is a lack of effective metrics, tools and frameworks to understand and assess the harm organizations face from cyber-attacks. In this article, we reflect on the literature on harm, and how it has been conceptualized in disciplines such as criminology and economics, and investigate how other notions such as risk and impact relate to harm. Based on an extensive literature survey and on reviewing news articles and databases reporting cyber-incidents, cybercrimes, hacks and other attacks, we identify various types of harm and create a taxonomy of cyber-harms encountered by organizations. This taxonomy comprises five broad themes: physical or digital harm; economic harm; psychological harm; reputational harm; and social and societal harm. In each of these themes, we present several cyber-harms that can result from cyber-attacks. To provide initial indications about how these different types of harm are connected and how cyber-harm in general may propagate, this article also analyses and draws insight from four real-world case studies, involving Sony (2011 and 2014), JPMorgan and Ashley Madison. We conclude by arguing for the need for analytical tools for organizational cyber-harm, which can be based on a taxonomy such as the one we propose here. These would allow organizations to identify corporate assets, link these to different types of cyber-harm, measure those harms and, finally, consider the security controls needed for the treatment of harm.
Article
Full-text available
The healthcare sector is identified as particularly vulnerable to digital data breaches and damages caused by illegal use of personal and confidential information. Facing such a dangerous threat, medical entities need to estimate the financial consequences of a potential cyber attack leading to a breach of patients’ data. The paper’s aim is to provide an overview of the consequences of digital data breaches in the healthcare sector and their financial impact, comparing the Polish and global perspectives. The research method used was analysis and comparison of international literature, reports, case studies and statistics concerning data breaches in the healthcare sector, as well as new legal regulations applicable in the European Union. The results of the research show that estimations of total digital data breach costs vary widely among the various reports and analyses. The main reasons are the application of different estimation methods and the lack of complete and reliable databases due to insufficient disclosure of cyber incidents. In addition, the most important conclusion of the paper is that there is an urgent need to conduct research concerning probable data breach costs in the Polish healthcare sector, since studies pursued by renowned organisations have not covered Poland so far.
Article
Full-text available
Organisations are highly interested in collecting and analysing customer data to enhance their service offerings and customer interaction. However, individuals increasingly fear how such practices may negatively affect them. Although previous studies have investigated individuals’ concerns about information privacy practices, the adverse consequences people associate with external actors accessing their personal information remain unclear. To mitigate customers’ fears, organisations need to know which adverse consequences individuals are afraid of and how to address those negative perceptions. To investigate this topic, we conducted 22 focus groups with 119 participants. We developed a comprehensive conceptualisation and categorisation of individuals’ perceived adverse consequences of access to their information that includes seven types of consequences: psychological, social, career-related, physical, resource-related, prosecution-related, and freedom-related. Although individuals may limit their interactions with an organisation owing to consequences they associate with both the organisation and other actors, organisations can apply preventive and corrective mechanisms to mitigate some of these negative perceptions. However, organisations’ scope of influence is limited and some fears may be mitigated only by individuals themselves or government regulation, if at all.
Article
This paper undertakes a systematic review of the Information Systems Security literature. The literature review consists of three parts: First, we perform topic modeling of major Information Systems journals to understand the field’s debates. Second, we conduct a Delphi Study composed of the Chief Information Security Officers of major corporations in the US to identify security issues that they view as important. Third, we compare Topic Modeling and the Delphi Study results and discuss key debates, gaps, and contradictions within the academic literature. Further, extant Information Systems Security literature is reviewed to discuss where the academic community has placed the research emphasis and what is now required in the discipline. Based on our analysis, we propose a future agenda for Information Systems security research.
Article
This research examines the joint effects of information technology (IT) strategies and security investments on organizational security breaches. We focus on two forms of IT strategies: digitalization and embeddedness in IT outsourcing networks. Our longitudinal analysis of U.S. hospitals demonstrates that IT security investments reduce security breaches in less digitalized organizations but increase security breaches for highly digitalized organizations. Investing in technical network control security systems such as anti-virus and intrusion detection systems reduces external breaches. Implementing identity and access management security systems such as biometric scanning and user authentication decreases internal breaches but increases external breaches. However, organizations’ embeddedness in IT outsourcing networks weakens the impacts of these technology investments on external breaches but amplifies the negative relationship between identity and access management security systems and internal breaches. Our results offer an alternative understanding of organizational IT security investments and explain contrary results found in prior studies. Practical guidelines on organizational IT security strategies are discussed.
Article
In response to organizations’ increasing vulnerability to data breaches, we present an integrated risk model for data breach management based on a systematic review of the literature. Theoretically, the study extends the body of knowledge on data breach management by identifying and updating conceptualizations of data breach risks (items) and resolutions (actions) and by providing a foundation for organizational responses to emerging data breach incidents (heuristics). Practically, the study provides key insights that practitioners can use to organize and orchestrate effective data breach management based on comprehensive profiles of risk items and resolution techniques.
Article
As signals of internal control weaknesses, cyber security incidents can represent significant risk factors to the quality of financial reporting. We empirically assess the audit quality implications of data breaches for a large sample of US firms. Using a difference-in-difference approach based on a matched sample of breached and non-breached firms, we find no evidence that cyber-security incidents result in a decline in audit quality. Instead, we observe positive shifts in four widely-used proxies for audit quality. We document that breached firms (i) experience a decrease in abnormal accruals, (ii) are less likely to report small profits or small earnings increases, (iii) are more likely to be issued a going concern report, and (iv) are less likely to restate their financial statements in the two years following a breach. Our results indicate that auditors effectively offset increases in audit risk through additional substantive testing and audit effort. Our evidence supports the view that auditors have increased their audit risk awareness and put in place adequate procedures to deal with the consequences of cyber-security incidents.
Article
This paper studies the financial consequences of a reported data breach for bank loan terms. Using a staggered difference-in-differences approach with treatment and control samples matched by data breach propensity, we find that firms that have reported data breaches face higher loan spreads and their loans are more likely to require collateral and demand more covenants. The effects are more pronounced when the data breach involves criminal activities or the loss of a large number of records, or when the breached firm belongs to certain industries or has a high IT reputation. Moreover, using the introduction of state mandatory data breach notification laws as an exogenous shock, we find that the negative effect of data breaches on bank loan terms is more significant after these laws took effect. Our evidence also suggests that breached firms that take more remedial actions following the breach incident receive less unfavorable loan terms. JEL Classifications: G10; G12.
Article
Data breaches are now a daily occurrence. What corporate leaders may not realize is that certain actions they are taking in the social responsibility space may, in fact, be placing a proverbial target on their backs. Indeed, there is evidence that the hacking community is not homogeneous, and at least some hackers from both internal and external sources appear to be motivated by what they dislike as opposed to solely financial gain. Recent hacks against the World Health Organization, as a result of its actions (or supposed inactions) related to the COVID-19 pandemic, are a case in point. In this paper, we put forth the idea that espoused positive social performance in areas that are peripheral to core business operations (e.g., philanthropy, recycling programs) can be a detriment to information security, particularly when firms have simultaneous high levels of social concerns (e.g., poor employee relations, product safety concerns, involvement in an environmental controversy). Our results support this outcome. It appears that some perpetrators can “sniff out” firm social actions that attempt to give the appearance of social responsibility and possibly mask poor social performance, and consequently, these firms are victimized by a malicious data breach more often.
Conference Paper
This paper investigates the association between board busyness (i.e., directors with multiple positions) and the occurrence of reported information security incidents. Building on prior studies of board busyness, this paper argues that directors holding multiple board seats may fail to commit the time and effort necessary to ensure the appropriate information security strategy or investment plans are in place. Our results demonstrate that board busyness is positively associated with reported information security incidents. This effect is larger when independent directors are busy, thus suggesting the importance of the governance role played by independent directors in managing information security risks. The board of directors’ role has been emphasized in anecdotal evidence and IT governance frameworks, but our study empirically demonstrates the board’s relevance in information security strategy and management.
Article
Many small and medium enterprises (SMEs) engage in dyadic information integration partnerships or partial integration with their direct suppliers and customers. They often utilize e-commerce or cloud computing technology platforms hosted by third-party providers to leverage such partnerships. However, information security breaches and disruptions caused by cyberattacks are commonplace in the information technology industry. The effects of said disruptions and breaches on e-commerce businesses under varied disruption conditions are still uncertain. Furthermore, the effect of security breaches on nonparticipating members of the supply chain is poorly understood, especially under various disruption profiles. Using discrete event modeling, in this article, we explore the impact of disruption caused by information security breaches on supply chain performance and the externality effect of partial integration on nonparticipants. We also examine the impact of breach disruption frequency and remediation length on supply chain performance with varying levels of information sharing. These impacts were studied under two typical inventory replenishment policies for SMEs. It was determined that remediation length should be a prioritized factor in impact management and that flexibility in the inventory replenishment policy can help mitigate the impact of information disruption on the inventory performance of businesses, especially that of nonparticipants, in information-sharing partnerships.
Article
Cybersecurity is a serious and growing risk for organizations. Firms with board of director involvement in information technology governance (ITG) may be better equipped to deal with this risk. Yet little is known about the audit committee's role in ITG. This study uses efficiency and institutional theories to investigate the influence of security breaches and board-level technology committees on disclosing ITG roles in the audit committee charter. We develop hypotheses and test them using a sample of 189 firms. Results show that firms with a technology committee and a data breach are more likely to disclose ITG roles in the audit committee charter. This suggests that firms experiencing a data breach realize their vulnerability and, by already having oversight at the board level, find it more natural to increase oversight by assigning ITG roles to the audit committee. We provide implications and areas for future research.
Article
We develop a model where a firm has an optimal exposure to cyber risk. With rational, fully informed agents and with no hysteresis, a successful cyberattack should have no impact on a financially unconstrained target's reputation and post-attack policies. In contrast, when a successful attack involves the loss of personal financial information, there is a significant shareholder wealth loss, which is much larger than the attack's out-of-pocket costs. This excess loss is higher when the attack decreases sales growth more and lower when the board pays more attention to risk management before the attack. Further, an attack decreases a firm's risk appetite, as it beefs up its risk management and information technology and decreases the risk-taking incentives of management. Finally, successful cyberattacks adversely affect the stock price of firms in the target's industry. These results imply that successful attacks with personal financial information loss provide adverse information about cyber risk to target firms, their stakeholders, and their competitors.
Article
A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and have hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with the employees from 48 countries working for a large multinational company.
Article
As social media continues to transform firm–customer interactions, firms must leverage customer reactions to generate actionable insights, especially in contexts (e.g., crisis events) where customer reactions are critical. Using justice theory, we categorize customer reactions of two firms, Home Depot and Target, during the time-frame of a security hack to understand key themes/topics. We then map the themes/topics to customer sentiments in those reactions. We found that customers associate justice with simple procedures more than with the experience of dealing with the firm. In addition, it is critical for firms to carefully assess and control customer sentiments on social media during crisis events.
Conference Paper
A security breach often makes companies react by changing their attitude and approach to security within the organization. This paper presents an in-depth case study of post-breach security changes made by a company and the consequences of those changes. We employ the principles of participatory action research and humble inquiry to conduct a long-term study with employee interviews while embedded in the organization’s security division. Despite an extremely high level of financial investment in security, and consistent attention and involvement from the board, the interviews indicate a significant level of friction between employees and security. In the main themes that emerged from our data analysis, a number of factors shed light on the friction: fear of another breach leading to zero risk appetite, impossible security controls making non-compliance a norm, security theatre undermining the purpose of security policies, employees often trading off security against productivity, and as such being treated as children in detention rather than employees trying to finish their paid jobs. This paper shows that post-breach security changes can be complex and sometimes risky due to emotions often being involved. Without an approach considerate of how humans and security interact, even with high financial investment, attempts to change an organization’s security behaviour may be ineffective.
Article
Effective use of electronic health records (EHRs) is considered an important step toward the goal of improving the quality of U.S. healthcare, while reducing its costs. However, did EHRs and a meaningful use (MU) initiative increase the risk of a breach of patient information, as many people worried? This study shows that implementing EHRs led to a 3.081 times higher risk of a breach of patient information. This heightened risk was mostly driven by the occurrence of more accidental breaches. Undertaking MU initiatives increased the risk of accidental breaches by 1.771 times, but not the risk of malicious breaches. We also found that these risks increased more among relatively larger hospitals. We conclude that despite recent evidence that the usage of EHRs has improved the quality of healthcare, quality must go hand in hand with the protection of patient information. Thus, we argue that the government’s future revision of the criteria for MU should better reflect the risk of accidental breaches. Our study also suggests that policy makers should carefully address the possible increase in the risk of privacy breaches when considering whether to promote industry-wide adoption of digitized data and processes.
Article
This study provides insight into hackers’ reaction toward an information security breach perpetrated either with an ill or a good intention. To our knowledge, limited research is available for promoting understanding of whether intent induces different perceived moral affect (i.e., a perpetrator should have feelings of regret, sorrow, guilt, and shame), which explains the effect of perceived intensity of emotional distress on responsibility judgment. Further, research is sparse on enhancing understanding of whether the nature of a perpetrator’s intent affects the moderating role of consideration of the consequences in the relationship between perceived moral affect and responsibility judgment. Increased understanding of the relationships among perceived moral affect, perceived intensity of emotional distress, consideration of the consequences, and responsibility judgment of an information security breach from the hackers’ perspective may shed light on their continued engagement in the act despite society’s disapproval. Analyses of the responses of 166 hackers recruited at two major hacker conferences reveal that perceived moral affect mediates the effect of perceived intensity of emotional distress on responsibility judgment only in an ill-intention breach, and consideration of the consequences strengthens the relationship between perceived moral affect and responsibility judgment only in a good-intention breach.
Article
Persuasion is key to encourage compliance with information security policies through fear appeals, though research has not examined how the perceived quality of their arguments affects threat and coping appraisals. Because we know that perceived argument quality can influence attitudes and behavior, it may improve fear appeal effectiveness. The results of a scenario-based field experiment suggest that perceived argument quality increases response efficacy perceptions and compliance intentions. We also examine emerging heuristics about how to use realism checks in scenario-based research and find that current realism check heuristics in behavioral information security research may be misguided, contributing to biased interpretation.
Article
In this paper, we examine the consequences of data breaches for a breached company. We find the economic consequences are, on average, very small for breached companies. On average, breaches result in less than −0.3 percent cumulative abnormal returns in the short window around the breach disclosure. Except for a few catastrophic breaches, the nominal difference in cumulative abnormal returns between breach companies and the matched companies disappears within days after the breach. We also test whether data breaches affect future accounting measures of performance, audit and other fees, and future Sarbanes-Oxley Section 404 reports of material internal control weaknesses, but find no differences between breach and matched companies. Our results address the question why companies are not spending more to reduce breaches. We conclude by providing a few explanations of why there appears to be an effect at the economy-wide level, but no noticeable effect on individual company performance.
Article
Reputation threats on social media in the aftermath of a data breach are a critical concern to enterprises. We argue that any effort to minimize reputation threats will require an orderly assessment of how reputation threat manifests on social media. Drawing on crisis communication and social media literature, we analyze Twitter postings related to the 2014 Home Depot data breach. We identify a taxonomy of data breach frames and sub-frames and the related reputation threats as manifested by data breach responsibility-attributions and negative emotional responses. Results indicate that reputation threats vary for intentional, accidental, and victim data breach frames. Based on crisis stage theory, we also analyze the dynamics of evolving reputation threats as the data breach situation unfolds on social media. Results suggest that the data breach frames and associated reputation threats vary across the crisis stages. Further, intentional and accidental frames increase subsequent responsibility-attributions and negative emotions. Tweets with responsibility-attributions further increase the subsequent generation of reputation-threatening tweets. Negative emotions, particularly anger and disgust, also increase subsequent reputation threats. Our study has implications for enterprise reputation management and word-of-mouth literature. The results yield valuable insights that can guide enterprise strategy for social media reputation management and post-data-breach intervention.
Article
Certification mechanisms are often employed to assess and signal difficult-to-observe management practices and foster improvement. In the U.S. healthcare sector, a certification mechanism called meaningful-use attestation was recently adopted as part of an effort to encourage electronic health record (EHR) adoption while also focusing healthcare providers on protecting sensitive healthcare data. This new regime motivated us to examine how meaningful-use attestation influences the occurrence of data breaches. Using a propensity score matching technique combined with a difference-in-differences (DID) approach, our study shows that the impact of meaningful-use attestation is contingent on the nature of data breaches and the time frame. Hospitals that attest to having reached Stage 1 meaningful-use standards observe fewer external breaches in the short term, but do not see continued improvement in the following year. On the other hand, attesting hospitals observe short-term increases in accidental internal breaches but eventually see long-term reductions. We do not find any link between malicious internal breaches and attestation. Our findings offer theoretical and practical insights into the effective design of certification mechanisms.
Article
In the current business climate, a firm's information systems security is no longer independent from the industry's broader security environment. A question arises, then, whether stock market values reflect the interdependence of security breaches and investments. In this paper, we used the event study methodology to investigate how a firm's security breaches and IT security investments influence its competitors. We collected and reviewed 118 information security breaches and 98 IT security investment announcements from 2010 to 2017. We found substantial evidence supporting our hypothesis that information security breaches do, indeed, have a competition effect: when one firm is breached, its competitors have opportunities to absorb market power. For the IT security investment announcements, however, we observed positive externalities, or a contagion effect, in play: market investors feel that the security investments made by one firm increase the security level of the entire network, and hence, competitors also benefit. Additionally, we found that the competition effect was higher when the breaches occurred after preceding security investments than when there were no preceding investments before the breaches.
Article
We study the association between firms’ disclosures in Forms 10-K of the existence of trade secrets, and cyber theft of corporate data (which we refer to as “Breaches”). Prior academic research explaining occurrence of Breaches is scarce, and no prior study has focused specifically on Breaches that likely target trade secrets. We provide such evidence, and our use of Form 10-K contents related to trade secrets is a first step toward determining whether corporations actually attract Breach activity through their public disclosures. We find that firms mentioning the existence of trade secrets have a significantly higher subsequent probability of being Breached relative to firms that do not do so. Our results are stronger among younger firms, firms with fewer employees, and firms operating in less concentrated industries. By conducting a battery of additional tests, we attempt to go beyond merely establishing correlations to provide evidence whether such proprietary information can actually attract cyber attacks. Specifically, our results are robust to additional control variables, an instrumental variable approach, firm fixed effects, and a propensity score matching technique.
Article
Based on a review of 40 articles published in the information systems journals of the senior basket since 2006, this article presents refreshing and updated patterns of cross-cultural information systems (CCIS) research and suggests a roadmap for future research in CCIS. This 10-year systematic review contributes to the information systems community by unveiling three streams of transitions in CCIS research: (1) from national level to individual level with espoused and contextual cultural values, (2) from corporate users to end users, and (3) from West to East with the emergence of Chinese culture. The limitations and future research directions are presented.
Article
We introduce a new dataset that links publicly reported data breaches and financial outcomes at the firm-level. First, we document three new facts about the incidence of data breaches: (i) heavy skewness in the distribution of the scale of data breaches, (ii) heterogeneity in records breached by sector, and (iii) differences in records breached between publicly traded and private firms. Second, while we find some evidence, using cross-sectional variation and controlling for time-varying observable firm inputs, that a 10% rise in breaches is associated with approximately a 0.2% decline in firm productivity, the result is sensitive to different specifications and datasets. Third, we show that the absence of more reliable estimates is driven by non-classical measurement error arising from sample selection problems in publicly reported breach data. We conclude by discussing the importance of developing reliable measurement approaches for answering policy questions in cyber security.
Conference Paper
Following the 2017 Equifax data breach, we conducted four preliminary interviews to investigate how consumers view credit bureaus and the information flows around these agencies, what they perceive as risks of the Equifax breach, and how they reacted in practice. We found that although participants could properly articulate the purpose of credit bureaus, their understanding of credit bureaus' data collection practices was divided and incomplete. Although most of them conceptualized identity theft as the primary risk of data breaches disclosing credit information, and noted a lack of trust/self-efficacy in controlling their data collected by credit bureaus, they did not take sufficient protective actions to deal with the perceived risks. Our findings provide implications for the design of future security-enhancing tools regarding credit data, education and public policy, with the aim to empower consumers to better manage their sensitive data and protect themselves from future data breaches.
Article
The purpose of this study was to develop a model of factors associated with healthcare data breaches. Variables were operationalized as the healthcare facilities' level of exposure, level of security, and organizational factors. The outcome variable was the binary value for data breach/no data breach. Because healthcare data breaches carry the risk of personal health information exposure, corruption or destruction, this study is important to the healthcare field. Data were obtained from the Department of Health and Human Services database of healthcare facilities reporting data breaches and from a large national database of technical and organizational infrastructure information. Binary logistic regression was utilized to examine a representative data breach model. Results indicate several exposure, security and organizational factors significantly associated with healthcare data breaches.
Article
We investigated publicly reported security breaches of internal controls in corporate systems to determine whether SOX assessments are information bearing with respect to breaches which can lead to materially significant losses and misstatements. SOX Section 404 adverse decisions on effectiveness of controls occurred in 100% of credit card data breaches and around 33% of insider breaches. SOX 404 audits provided contrarian "effective" control decisions in 88% of situations where there was a control breach concerning a portable device. We found that management and SOX 404 auditors do not generally agree on the underlying internal control situation at any time; instead the SOX 404 team was likely to discover material weaknesses and "educate" management and internal audit teams about the importance of these control weaknesses. SOX attestations were poor at identifying control weaknesses from unintended disclosures, physical losses, hacking and malware. Hazard and occupancy models showed that both SOX 302 and 404 section audits provided information on the frequency of breaches, with SOX 404 being three times as informative as section 302 reports. The hazard model found an expected 2.88% reduction in breaches when SOX 302 controls are effective; management "material weakness" attestations provided no information in this structural model, whereas there would be around a 1% increase in breach occurrence when there are significant deficiencies. SOX 404 attestations were the most informative, and a negative SOX 404 attestation is projected to increase the frequency of breaches by around 8.5%.
Conference Paper
This exploratory study investigates how potential information technology security breaches affect stock prices. Previous research indicates that stock markets tend to punish firms that experience unsolicited disclosure of information and proprietary data. However, little research exists on the question of whether firms are punished for creating the mere potential for data theft. Based on the information boundary theory, we design our exploratory research model. Subsequently, we utilize a sample of 4,147 stocks of firms headquartered in 43 countries to conduct multiple event studies. We reveal a delayed adverse stock market response to potential IT security breaches as well as a discrimination among firms operating in different industries. Consequently, this work enhances the understanding of the full economic impact of information security measures by shedding light on previously neglected hidden costs.
Article
In this study, the authors assess the effects of a data breach announcement (DBA) by a multichannel retailer on customer behavior. They exploit a natural experiment and use individual customer transaction data from the retailer to conduct a detailed and systematic empirical examination of the effects of a DBA on customer spending and channel migration behavior. To identify the effects, the authors compare the change in customer behavior before and after the DBA between a treatment group (customers whose information is breached) and a control group (customers whose information is not breached) using the difference-in-differences modeling framework. They find that although the data breach results in a significant decrease in customer spending, customers of the firm migrate from the breached to the unbreached channels of the retailer. The findings further reflect that customers with a higher retailer patronage are more forgiving because the negative effects of the DBA are lower for customers with a higher level of patronage. The authors propose and empirically test for the role of customer data vulnerability as the behavioral mechanism that drives customer behavior subsequent to a DBA. The authors offer prescriptions for managers on how to engage with customers following DBAs.